java.lang.IllegalStateException: No PEM work directory configured

118 views Asked by At

I have a working HTTP/2 configuration with an embedded Jetty 10. Now I want add HTTP/3 support. I follow the Jetty HTTP/3 documentation. I get the follow exception:

java.lang.IllegalStateException: No PEM work directory configured
    at org.eclipse.jetty.quic.server.QuicServerConnector.findPemWorkDirectory(QuicServerConnector.java:192)
    at org.eclipse.jetty.quic.server.QuicServerConnector.doStart(QuicServerConnector.java:171)
    at org.eclipse.jetty.http3.server.HTTP3ServerConnector.doStart(HTTP3ServerConnector.java:61)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
    at org.eclipse.jetty.server.Server.doStart(Server.java:428)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)

What is a PEM work directory? Does its contains any security relevant information? Must the directory contains some files?

The SSL certificate is loaded into a keystore and work with HTTP/2 and old HTTPS.

1

There are 1 answers

3
sbordet On BEST ANSWER

Jetty's implementation, like many others, use the quiche library as the underlying implementation of QUIC, the protocol at the base of HTTP/3.

Quiche (written in Rust), does not use Java KeyStores, so you have to provide the public and private key as PEM files.

Jetty will take care of converting your KeyStore to PEM files, but it needs a directory to save the PEM files to. Since one of the PEM files is the private key, the PEM directory must be adequately protected using file system permissions, and that is why Jetty cannot use a default PEM directory (for example, /tmp/ would be a terrible choice because anyone will have access to your PEM files).

You just to specify a directory to store your PEM files (make sure its file permission are adequate), and Jetty will do the rest.